redhat-developer/gitops-operator

Dex Role and Rolebinding missing

haf-tech opened this issue · 1 comments

Describe the bug
After creating a new ArgoCD instance with dex enabled, the integration with OpenShift SSO is not working; the main reason is the missing DEX Role and RoleBinding.
In other examples on the same cluster, the ArgoCD creation with Dex integration is working fine.

To Reproduce
Steps to reproduce the behavior:

  1. Create new ArgoCD kind
  2. SSO not working
  3. Role and Rolebinding for DEX is not available

Expected behavior
OpenShift SSO is working with ArgoCD

Screenshots
n/a

Additional context
Logs from dex pod

```text
W1114 12:08:00.728631 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:bla-toolchain-gitops:bla-toolchain-gitops-argocd-dex-server" cannot list resource "secrets" in API group "" in the namespace "bla-toolchain-gitops"
E1114 12:08:00.728667 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:bla-toolchain-gitops:bla-toolchain-gitops-argocd-dex-server" cannot list resource "secrets" in API group "" in the namespace "bla-toolchain-gitops"
```
```console
$ oc get role -n bla-toolchain-gitops
NAME                                                 CREATED AT
bla-toolchain-gitops-applicationset-controller       2022-11-14T09:15:18Z
bla-toolchain-gitops-argocd-application-controller   2022-11-14T09:15:15Z
bla-toolchain-gitops-argocd-redis                    2022-11-14T09:15:15Z
bla-toolchain-gitops-argocd-server                   2022-11-14T09:15:15Z
bla-toolchain-gitops-read                            2022-11-14T09:15:15Z
```

ArgoCD Kind spec

```yaml
spec:
  server:
    autoscale:
      enabled: false
    grpc:
      ingress:
        enabled: false
    ingress:
      enabled: false
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 50m
        memory: 128Mi
    route:
      enabled: true
      tls:
        termination: reencrypt
    service:
      type: ''
  grafana:
    enabled: false
    ingress:
      enabled: false
    route:
      enabled: false
  prometheus:
    enabled: false
    ingress:
      enabled: false
    route:
      enabled: false
  applicationSet:
    resources:
      limits:
        cpu: 500m
        memory: 1Gi
      requests:
        cpu: 50m
        memory: 512Mi
  rbac:
    defaultPolicy: ''
    policy: |
      g, bla-toolchain, role:admin
    scopes: '[groups]'
  repo:
    resources:
      limits:
        cpu: '1'
        memory: 1Gi
      requests:
        cpu: 50m
        memory: 256Mi
  resourceExclusions: |
    - apiGroups:
      - "tekton.dev"
      kinds:
      - "PipelineRun"
      - "TaskRun"
      clusters:
      - "*"
  dex:
    groups:
      - bla-toolchain
    openShiftOAuth: true
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 50m
        memory: 128Mi
  ha:
    enabled: false
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 50m
        memory: 128Mi
  tls:
    ca: {}
  redis:
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 50m
        memory: 128Mi
  controller:
    processors: {}
    resources:
      limits:
        cpu: '1'
        memory: 2Gi
      requests:
        cpu: 250m
        memory: 1Gi
    sharding: {}
```

OpenShift 4.10.4
OpenShift GitOps 1.5.6

The problem occurs if dex.groups is used.
I do not face the issue if dex.groups is empty/not set!
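As an added helper for anyone hitting the same denial (this is not the operator's code): the script below checks, via `oc auth can-i --as`, whether the dex service account the operator names `<instance>-argocd-dex-server` may list and watch secrets, and renders a namespaced Role/RoleBinding that grants only that. The rule set (get/list/watch on secrets and configmaps) is an assumption modelled on the operator's normal dex role; the log above only proves list/watch on secrets is needed.

```shell
# Added helper, not operator code. Args: ArgoCD instance name, namespace.
# Renders the dex Role/RoleBinding and checks the dex SA's secret access.
set -euo pipefail
# Service account the operator creates for dex: <instance>-argocd-dex-server
dex_sa() { printf '%s-argocd-dex-server' "$1"; }
# Namespaced Role + RoleBinding limited to what dex needs. The rule set
# (get/list/watch on secrets and configmaps) is an assumption modelled on
# the operator's own dex role; the log only proves list/watch on secrets.
dex_rbac_yaml() {
  local name="$1" ns="$2" sa
  sa="$(dex_sa "$name")"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa}
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["secrets", "configmaps"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${sa}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
}
# Ask the API server (SubjectAccessReview, impersonating the dex SA) whether
# it may list/watch secrets; "denied" matches the reflector errors in the log.
dex_rbac_check() {
  local name="$1" ns="$2" sa verb
  sa="system:serviceaccount:${ns}:$(dex_sa "$name")"
  for verb in list watch; do
    oc auth can-i "$verb" secrets -n "$ns" --as="$sa" >/dev/null 2>&1 \
      && echo "$verb secrets: ok" || echo "$verb secrets: denied"
  done
}
```

For the instance in this report, `dex_rbac_check bla-toolchain-gitops bla-toolchain-gitops` shows the denial, and `dex_rbac_yaml bla-toolchain-gitops bla-toolchain-gitops | oc apply -f -` restores the missing objects until the operator creates them itself.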